
Zero trust and identity: what teams still get wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Zero Trust is widely framed as a strategy, not a product, and the article argues that identity, devices, workloads, and transactions must all be verified rather than only user logins, according to Axiad and the Forrester and NIST references it cites. The key implication is that Zero Trust collapses if teams stop at MFA and ignore post-authentication control.

NHIMG editorial — based on content published by Axiad: The Misconceptions of Zero Trust

By the numbers:

Questions worth separating out

Q: What breaks when zero trust is treated as just MFA?

A: Zero Trust collapses into a front-door control when MFA is treated as the whole model.

Q: Why do non-human identities complicate zero trust programmes?

A: NHIs complicate Zero Trust because they behave like first-class subjects but are often governed like background infrastructure.

Q: How do security teams know whether zero trust is actually working?

A: Teams should look for continuous verification across identity types, not just successful authentication events.

Practitioner guidance

  • Redefine the trust boundary around identity, not location: Document which identities are in scope for Zero Trust, including users, service accounts, workloads, devices, and APIs.
  • Separate authentication from ongoing authorisation: Treat successful login as only the first control point.
  • Bring non-human identities into the Zero Trust programme: Inventory NHIs, classify their privilege, and test whether they are governed by the same trust assumptions as employees.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • How the article frames Zero Trust as a strategy versus a tool, including the historical context from Forrester and NIST.
  • Examples of where vendors overstate MFA, ZTNA, or PAM as if each one were the full Zero Trust model.
  • The article's discussion of passwordless authentication, PKI certificates, and device verification as implementation patterns.
  • The specific reasoning behind extending Zero Trust beyond users to machines, applications, and digital transactions.

👉 Read Axiad's analysis of zero trust misconceptions and identity as the perimeter →

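
One way to make two of the guidance points above concrete ("separate authentication from ongoing authorisation" and "bring non-human identities into the Zero Trust programme"), as an added example that is not part of this post or of Axiad's article: a small Python policy evaluator that re-checks every request for users, service accounts and workloads, plus an inventory audit that flags NHIs governed more loosely than the user baseline. Every identity, resource, tier, threshold and attribute name below is a constructed assumption for illustration.

```python
"""
Per-request access evaluation that treats login as only the first control
point and applies the same trust checks to users, service accounts and
workloads. Added illustration, not code from Axiad or NHIMG; every identity,
resource, threshold and attribute name is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed tiers: resource sensitivity and identity privilege share one
# scale so the two can be compared directly (least privilege check).
TIER = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
PRIVILEGE = {"low": 1, "standard": 2, "admin": 3}

# Constructed limits: re-authentication windows shrink as sensitivity rises,
# and NHI secrets are expected to rotate far faster than user passwords.
MAX_SESSION_MIN = {"public": 24 * 60, "internal": 8 * 60, "confidential": 60, "restricted": 15}
MAX_CRED_AGE_DAYS = {"user": 90, "service_account": 30, "workload": 1}


@dataclass
class Identity:
    name: str
    kind: str                      # "user", "service_account" or "workload"
    privilege: str                 # key of PRIVILEGE
    owner: Optional[str] = None    # accountable team; NHIs frequently have none
    credential_age_days: int = 0   # days since password/secret/certificate issue
    mfa: bool = False              # user completed MFA at login
    attested: bool = False         # workload identity proven by platform attestation,
                                   # rather than a static secret copied into config


@dataclass
class Request:
    identity: Identity
    resource: str
    sensitivity: str               # key of TIER
    session_age_min: int           # minutes since the identity authenticated
    device_compliant: Optional[bool] = None  # None when no device posture exists (NHIs)
    authenticated: bool = True


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). A prior successful login never grants
    access by itself; every request is evaluated against current context."""
    ident, tier = req.identity, TIER[req.sensitivity]
    if not req.authenticated:
        return False, ["not authenticated"]
    reasons: list[str] = []
    # Authentication is a point in time; the session must still be fresh enough.
    if req.session_age_min > MAX_SESSION_MIN[req.sensitivity]:
        reasons.append(f"session age {req.session_age_min}m exceeds limit for {req.sensitivity}")
    # Identity-type specific verification: users prove MFA and device health,
    # NHIs prove an accountable owner and a platform-attested identity.
    if ident.kind == "user":
        if tier >= TIER["internal"] and not ident.mfa:
            reasons.append("MFA required")
        if tier >= TIER["confidential"] and req.device_compliant is not True:
            reasons.append("compliant device required")
    else:
        if ident.owner is None:
            reasons.append("non-human identity has no accountable owner")
        if tier >= TIER["confidential"] and not ident.attested:
            reasons.append("workload attestation required")
    # Credential hygiene applies to every identity type, with NHI-specific limits.
    if ident.credential_age_days > MAX_CRED_AGE_DAYS[ident.kind]:
        reasons.append(f"credential age {ident.credential_age_days}d exceeds {MAX_CRED_AGE_DAYS[ident.kind]}d")
    # Least privilege: classified privilege must cover the resource tier.
    if PRIVILEGE[ident.privilege] < tier:
        reasons.append(f"privilege '{ident.privilege}' insufficient for {req.sensitivity}")
    return (not reasons), reasons


def audit_nhis(identities: list[Identity]) -> dict[str, list[str]]:
    """Inventory check: flag NHIs governed more loosely than the user baseline."""
    findings: dict[str, list[str]] = {}
    for ident in identities:
        if ident.kind == "user":
            continue
        issues = []
        if ident.owner is None:
            issues.append("no owner")
        if ident.credential_age_days > MAX_CRED_AGE_DAYS[ident.kind]:
            issues.append("stale credential")
        if ident.privilege == "admin" and not ident.attested:
            issues.append("admin privilege on unattested identity")
        findings[ident.name] = issues
    return findings


# Constructed sample identities (not real accounts).
ALICE = Identity("alice", "user", "standard", owner="alice", credential_age_days=10, mfa=True)
CI_DEPLOYER = Identity("ci-deployer", "service_account", "admin", credential_age_days=400)
PAYMENTS_API = Identity("payments-api", "workload", "standard", owner="payments-team", attested=True)

if __name__ == "__main__":
    for req in (
        Request(ALICE, "hr-wiki", "internal", 30, device_compliant=True),
        Request(ALICE, "prod-secrets", "restricted", 30, device_compliant=True),
        Request(CI_DEPLOYER, "prod-db", "restricted", 5),
        Request(PAYMENTS_API, "ledger", "confidential", 5),
    ):
        allowed, why = evaluate(req)
        print(f"{req.identity.name} -> {req.resource}: {'ALLOW' if allowed else 'DENY'} {why}")
    print(audit_nhis([ALICE, CI_DEPLOYER, PAYMENTS_API]))
```

The point of the structure is that `authenticated=True` is the entry condition, not the decision: the same user is allowed into an internal wiki but denied a restricted secret store on session age and privilege, and the long-lived, ownerless, unattested CI service account with admin rights is denied for exactly the reasons the inventory audit also reports. Running `audit_nhis` over a real identity inventory is the cheap first step toward the "5.7% visibility" baseline problem, before any per-request enforcement exists.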
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Zero Trust fails when teams confuse authentication with governance. The article shows how easily the concept is narrowed into a login problem, even though the model was meant to challenge implicit trust everywhere. That confusion is not just semantic, because it allows organisations to declare victory after MFA while leaving machines, workloads, and sessions outside the trust boundary. The implication is that Zero Trust programmes must be judged by scope, not slogans.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which shows how weak the visibility baseline remains for machine identity governance.

A question worth separating out:

Q: Who is accountable when zero trust is reduced to a single tool?

A: Accountability sits with the identity, security, and architecture owners who define the programme, not with the tool alone. Zero Trust is an architectural choice that spans identity, network, endpoint, and application controls, so governance failures happen when organisations assign ownership to one product team instead of to the end-to-end access model.

👉 Read our full editorial: Zero trust misconceptions: why identity is the real perimeter
